Inherited Site Security Review » History » Version 4
Jon Goldberg, 11/09/2020 07:36 PM
1 | 4 | Jon Goldberg | {{last_updated_at}} by {{last_updated_by}} |
---|---|---|---|
2 | |||
3 | 1 | Jon Goldberg | # Inherited Site Security Review |
4 | |||
5 | 3 | Jon Goldberg | This is a checklist of steps to take when inheriting a site that Megaphone did not build. This list is not comprehensive, and we should add to it over time. |
6 | 1 | Jon Goldberg | |
7 | * Reset the passwords of server and CMS (encourage client to do latter) |
||
8 | * Disable unnecessary logins of server and CMS (encourage client to do latter) |
||
9 | * If CiviCRM, check civicrm_contact for API keys. Remove/change them. |
||
10 | * If CiviCRM, check for CiviConnect apps. |
||
11 | 3 | Jon Goldberg | * Remove interactive shell login from legitimate server users who don't need a shell: `passwd -l $USERNAME` |
12 | * Remove all unnecessary public RSA keys for ssh access `rm /home/$USERNAME/.ssh/authorized_keys*` |
||
13 | * Remove unnecessary software from the server. TODO: Explain how to find this (dpkg -l, yum list installed, ps -ef, etc.) |
||
14 | 1 | Jon Goldberg | * Review all running services on the server with service --status-all or (preferably, if using systemd) systemctl |
15 | * check listening servers with # netstat -lp |
||
16 | * compare that output to an nmap scan of localhost # nmap -sT -O localhost |
||
17 | 2 | Jon Goldberg | * they should line up closely. if nmap shows a port open that netstat does not, run a rootkit checker and investigate further. |
18 | * Compare THAT output to an nmap scan from another computer (your own - or a dev server if your ISP blocks some ports): `nmap -sT -O www.example.org` |
||
19 | 1 | Jon Goldberg | * install fail2ban if not already installed. Consider also tripwire and some iptables. |
20 | 2 | Jon Goldberg | * Check for hacks. While [this resource](https://hq.palantetech.coop/projects/commons/wiki/Unhacking_a_WordPress_site) is incomplete, it suffices for now. Despite the name, it's useful for Drupal AND WordPress. Be sure to grep a dump of the database and not just the filesystem. |